FS#57456 - [munin] Root writing to a dir owned by a user
Attached to Project:
Community Packages
Opened by Doug Newgard (Scimmia) - Saturday, 10 February 2018, 07:16 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:00 GMT
Details
The tmpfiles entry in this package creates /run/munin/ as
owned by munin:munin, but then the service files run the
daemons as root, causing the PID files to be written as root
to a dir owned by a user. This is a security risk and
systemd has disabled this in the current version, but
relaxed them a bit as too many daemons do the wrong thing
here. See
https://github.com/systemd/systemd/issues/8085
The service files should either be run as the user or the dir should be owned by root:root.
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:00 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/munin/issues/2
FS#57457. If it's possible to simply have the daemon not fork, that would be a better solution than those I mentioned earlier.

background 0
setsid 0
taken from http://guide.munin-monitoring.org/en/latest/reference/munin-node.conf.html
Edit: I tried; munin-node can be run as munin:munin if the user/group properties are properly set up in the config file.
As a consequence, the permissions on /var/lib/munin/plugin-state/nobody/ have to be adapted accordingly.
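
The mismatch described in this report, as an added example that is not part of the original task or of the munin package: a Python check that compares the owner a tmpfiles.d entry gives a directory with the User= and PIDFile= settings of a unit. The file contents, the PID file name and the function names are constructed for illustration.

```python
import posixpath
import re

# Constructed samples modelled on the report; not the package's real files.
TMPFILES = """\
# Type Path Mode User Group Age
d /run/munin 0755 munin munin -
"""
UNIT_ROOT = """\
[Service]
Type=forking
PIDFile=/run/munin/munin-node.pid
ExecStart=/usr/bin/munin-node
"""
UNIT_USER = UNIT_ROOT + "User=munin\n"  # variant with the daemon run as the user


def parse_tmpfiles(text):
    """Map each directory created by a d/D line to its owning user."""
    owners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#") or fields[0][0] not in "dD":
            continue
        user = fields[3] if len(fields) > 3 else "-"
        owners[fields[1]] = "root" if user == "-" else user  # "-" means default (root)
    return owners


def unit_setting(unit_text, key):
    """Return the value of the last `key=` line in a unit file, or None."""
    values = re.findall(rf"^{key}=(.*)$", unit_text, re.MULTILINE)
    return values[-1].strip() if values else None


def audit(tmpfiles_text, unit_text):
    """Return a finding when root writes its PID file into a non-root-owned dir."""
    pidfile = unit_setting(unit_text, "PIDFile")
    if pidfile is None:
        return None
    run_as = unit_setting(unit_text, "User") or "root"
    piddir = posixpath.dirname(pidfile)
    owner = parse_tmpfiles(tmpfiles_text).get(piddir)
    if owner is not None and run_as == "root" and owner != "root":
        return f"{pidfile}: written by root into {piddir} owned by {owner}"
    return None


if __name__ == "__main__":
    for name, unit in (("root service", UNIT_ROOT), ("User=munin", UNIT_USER)):
        print(name, "->", audit(TMPFILES, unit) or "ok")
```

Both fixes proposed in the report clear the finding: running the service as the directory's owner, or having the tmpfiles entry create the directory as root:root.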